Acunetix helps popular email newsletter application “Sendy” tighten its security

Sendy

‘Acunetix allowed us to identify some major vulnerabilities before hackers were able to exploit them. This has made Sendy a far more secure application and hugely reduced the risk of us being breached.’ Ben Ho, Developer, Sendy

Sendy is a self hosted email newsletter application designed to send trackable emails via Amazon Simple Email Service (SES), thus making it possible to send authenticated bulk emails at a lower cost in comparison with other popular online services. The requirements for use are Apache servers using a Unix-based operating system, running PHP and MySQL. With thousands of users worldwide, including large companies hosting the Sendy application on their own networks, it is of vital importance that vulnerabilities are kept in check, since these could have implications for millions of subscribers, in addition to the users of the application.

What would be the implications of a hack?

Since Sendy is a user-hosted largely open-source application, it would be easy for hackers to locate vulnerabilities in the scripts. The implications for users could be as severe as any hack, meaning their sensitive data could be stolen, whereas for Sendy as a provider it could mean loss of customer trust and therefore seriously damaging their reputation and position in the market.

What was discovered with Acunetix?

Acunetix located a number of vulnerabilities in Sendy’s source code, the majority being major SQL Injection and Cross Site Scripting (XSS) vulnerabilities, which are frequently exploited by Hackers. SQL Injection could be used to access the Sendy database, allowing the hacker to, for example, steal the list of users. It could also be used to compromise the server running the application. The Cross Site Scripting (XSS) vulnerability, on the other hand, could be used to steal the cookies of the Sendy administrator, allowing the attacker full control of the Sendy application.

How was it discovered?

Acunetix technology AcuSensor, was used during the scan on Sendy which revealed additional information about the vulnerabilities, such as the SQL query that was used to detect the vulnerability. In addition, through AcuSensor, it was possible to detect the line of code causing the vulnerability from the source files affected.  It also didn’t report any false positives which made work to fix the vulnerabilities much quicker. The increased accuracy is achieved by combining black box scanning techniques with feedback from sensors placed inside the source code while the source code is executed.

What should Sendy users do to stay secure?

As with any software or application, updating to the latest version is essential in ensuring security. The vulnerabilities found in Sendy have now been fixed, so updating the application will ensure there are no vulnerabilities on your machine (at least not in Sendy).

About Sendy

Sendy is an independent software founded by Ben Ho from Hex in Singapore. Hex, founded by Ben Ho and Melly Fong in 2007 started out providing web design and development services until Sendy took over the main business in 2012.